The JWT as a Bearer token? Used with an Authorization header?

-Brian

> On Mar 10, 2019, at 12:00 AM, Francois Papon <[email protected]> wrote:
>
> Hi Brian,
>
> I'm thinking if it's possible to use JWT instead of cookie.
>
> I'm not sure that cookie is mandatory in API calls because an API can be
> called by a backend application or another API.
>
> François Papon
> [email protected]
>
>> On 08/03/2019 at 18:40, Brian Demers wrote:
>> Using a JWT as an auth token (bearer or otherwise) should be dependent on a
>> realm's implementation IMHO.
>>
>> Using a JWT as a session id direction is a different topic. In this case I
>> don't think it would provide any benefit (but I could be wrong or missing
>> something here).
>> The session id would be larger (more bits in the request/response
>> payloads), and on the server side you would still incur a session lookup
>> from storage.
>> Again, I might be misunderstanding your use case. Let me know.
>>
>>
>> On Fri, Mar 8, 2019 at 1:23 AM Francois Papon <[email protected]> wrote:
>>
>>> Yes, I agree about using the JWT for a remember-me storage, especially
>>> for APIs in a distributed / cloud environment.
>>>
>>> For the session id, how can we match the JWT sent by the consumer with
>>> the session id?
>>>
>>> François Papon
>>> [email protected]
>>>
>>>> On 07/03/2019 at 21:44, Brian Demers wrote:
>>>> I would agree on the bearer token use cases, though that would likely be
>>>> dependent on a given realm (where to validate the bearer token).
>>>>
>>>> I'm not sure using a JWT as the session id would add much value. We would
>>>> still need to look up an existing session, so the session key would just be
>>>> bigger?
>>>>
>>>> I have been thinking about how we could use JWTs for a remember-me storage,
>>>> which might be in line with what we are doing now. (Just not sure if there
>>>> is a demand for it?)
>>>>
>>>> On Thu, Mar 7, 2019 at 12:10 PM Francois Papon <[email protected]> wrote:
>>>>
>>>>> I think that the session cache manager is a very nice feature in Shiro
>>>>> and I was thinking about using the compact representation of JWT as the
>>>>> session id in the cache manager.
>>>>>
>>>>> This could be very useful because we just have to decrypt the JWT on
>>>>> login and store the user profile in the cache manager.
>>>>>
>>>>> So after that, the calls will only be checked in the cache without needing to
>>>>> decrypt the JWT. The session validation could also be managed by the
>>>>> session scheduler.
>>>>>
>>>>> I think it makes sense for API calls, for API gateway security policies
>>>>> for example.
>>>>>
>>>>> regards,
>>>>>
>>>>> François Papon
>>>>> [email protected]
>>>>>
>>>>>> On 07/03/2019 at 00:15, Brian Demers wrote:
>>>>>> What use cases are you thinking about targeting?
>>>>>>
>>>>>>
>>>>>> On Wed, Mar 6, 2019 at 1:33 PM Francois Papon <[email protected]> wrote:
>>>>>>
>>>>>>> Hi guys,
>>>>>>>
>>>>>>> I would like to start a thread about JWT.
>>>>>>>
>>>>>>> We already have a shiro-jaxrs module and I think it would be nice for
>>>>>>> Shiro to be able to use JWT.
>>>>>>>
>>>>>>> There are some existing implementations (Apache CXF JOSE, Apache Geronimo
>>>>>>> microprofile...) and for me it makes sense to have an implementation of
>>>>>>> JWT in Shiro.
>>>>>>>
>>>>>>> Thoughts?
>>>>>>>
>>>>>>> regards,
>>>>>>>
>>>>>>> --
>>>>>>> François Papon
>>>>>>> [email protected]
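Brian's point in the thread is that verifying a JWT bearer token belongs in a realm, not in the session layer, where it would only become a larger session key that still needs a store lookup. As an added illustration that is not code from the thread or from Shiro itself, the realm below accepts a hypothetical `JwtToken` carrying the compact JWT from an `Authorization: Bearer` header and verifies it with the jjwt library (assumed at 0.11.x, where `Jwts.parserBuilder()` exists): the signature is checked against a fixed key, expiry is enforced, and a principal is produced without any session lookup.

```java
import java.security.Key;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;

/** Hypothetical token type: carries the compact JWT taken from "Authorization: Bearer ...". */
class JwtToken implements AuthenticationToken {
    private final String jwt;
    JwtToken(String jwt) { this.jwt = jwt; }
    @Override public Object getPrincipal() { return jwt; }   // real principal is resolved by the realm
    @Override public Object getCredentials() { return jwt; }
}

/** Hypothetical realm: the JWT is verified here, so no session-store lookup is involved. */
public class JwtBearerRealm extends AuthenticatingRealm {
    private final Key signingKey;   // assumption: shared HMAC key; an RSA/EC public key works the same way

    public JwtBearerRealm(Key signingKey) {
        this.signingKey = signingKey;
        // The signature check in doGetAuthenticationInfo is the credential check;
        // Shiro must not try to compare the raw JWT against stored credentials again.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof JwtToken;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String jwt = (String) token.getCredentials();
        try {
            // parseClaimsJws only accepts a signed JWS verified with signingKey: unsigned ("alg":"none"),
            // tampered, or expired tokens raise a JwtException instead of yielding claims.
            Jws<Claims> jws = Jwts.parserBuilder().setSigningKey(signingKey).build().parseClaimsJws(jwt);
            Claims claims = jws.getBody();
            if (claims.getSubject() == null || claims.getExpiration() == null) {
                throw new AuthenticationException("JWT must carry sub and exp claims");
            }
            return new SimpleAuthenticationInfo(claims.getSubject(), jwt, getName());
        } catch (JwtException e) {
            throw new AuthenticationException("Invalid JWT bearer token", e);
        }
    }
}
```

Requiring `exp` is an added check: jjwt rejects an expired token but accepts one with no expiry at all, which a bearer token for an API should not have.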
